October 08, 2012

There is no doubt that the HITECH Act has been an important catalyst in helping propel the healthcare industry into the 21st Century. A change that was desperately needed, but one which would NOT likely have come about without a little help from Uncle Sam.

Interviewed regarding his new book, The New New Deal: The Hidden Story of Change in the Obama Era (Simon & Schuster), TIME magazine correspondent Michael Grunwald says the following about HITECH:

A central pillar of that mammoth, $800 billion dollar legislation, of course, is devoted to digitizing the nation's medical records and rewiring healthcare for the 21st century...

Although I agree with Michael that the Obama administration deserves credit for taking advantage of the political climate to "sneak this through," the reality is that some of the best and brightest had been working on the problem (both private and public sectors) for well over twenty years.

No one who knows anything about how Washington works believes that this huge piece of legislation sprang into existence after Obama took the oath of office.

October 14, 2011

Results of a new study from Manhattan Research reveal that an estimated 56 million U.S. consumers have accessed their medical information on an EHR system maintained by their physician. An additional 41 million consumers are interested in accessing such information, according to the pharmaceutical and healthcare market research company’s Cybercitizen Health U.S. 2011 study of consumer digital health trends.

Patients have always had the right to access their PHI (post HIPAA); we wrote about the Privacy Rule sections that provide for this access in our Patient's Bill of Rights post. The HITECH Act expands this access under Section 13405, now allowing disclosures for treatment, payment and operations (TPO) usages over the past three years to be included as well (i.e. provided that an EHR is in use).

Covered entities and business associates are well advised to have a well-defined process in place for providing this access, or they could quickly find themselves in "willful neglect" land. The engaged patient is not going away any time soon. With the boomers retiring en masse, you can be sure that this trend is likely to grow significantly.

August 30, 2011

This article explores the healthcare industry's emphatic adoption of cloud computing and the benefits and risks of moving to the cloud, including those directly related to HITECH / HIPAA Compliance.

What is the cloud?

The answer to this question is not as straightforward as it may seem because of the confusing jargon surrounding private clouds, public clouds, and community clouds. Here's a good overview of cloud computing. For the purposes of this article we are speaking of the benefits and risks associated with the public cloud. The public cloud is what most mid-size covered entities and business associates are likely to find economically feasible (i.e. only larger organizations have the economic clout to pursue the private cloud option).

Is the healthcare industry moving to the cloud?

Yes, the healthcare industry is moving to the cloud in a big way and we applaud the move. Cloud economics will contribute to bending the healthcare cost curve, although not nearly as much as creating a functional healthcare marketplace based on patient outcomes and transparent pricing (something we are not likely to see anytime soon).

Dr. Halamka does an excellent job in this post in making the argument as to why the healthcare industry has been slow (understatement) to adopt enabling technologies. Fundamentally, his argument can be summarized as a "structural" justification for slow adoption. The industry simply had no real incentive to adopt enabling technologies, the status quo worked just fine (not really) thank you very much.

The movement of the healthcare industry to the cloud is unstoppable, but this should not obscure the real downside risks that must be managed as part of this process. Generally the risks are a direct result of losing control of mission critical applications and infrastructure. Before discussing the risks let's highlight the real benefits that the industry is likely to derive from cloud computing.

Business associate compliance with the required sections of the Security Rule was to go into effect one year after the enactment of HITECH; however, HHS (circa February 2010) delayed the compliance effective date for business associates, apparently to provide a little more breathing room to the impacted entities.

However, the requirement that business associates comply with the Security Rule is not going away, and therefore should be made part of the Business Associate Contract. The question for a covered entity that is moving to the cloud and sharing PHI is "how does it go about performing the required business associate due diligence?" Simply asking whether the business associate complies with the Security Rule and incorporating mandatory compliance into a contract is not likely to be enough. A better approach is to automate the business associate due diligence process using questionnaires as exemplified by The Guard.

Regardless of how it is accomplished, a covered entity must perform sufficient due diligence to ensure that its PHI will be managed according to applicable law. A rigorous process is required in addition to the requisite contractual language if covered entities want to avoid a finding of willful neglect.

August 16, 2011

The healthcare industry is moving to the cloud in a big way and we applaud the move. Cloud economics will contribute to bending the healthcare cost curve, although not nearly as much as creating a functional healthcare marketplace based on patient outcomes and transparent pricing (something we are not likely to see anytime soon).

Dr. Halamka does an excellent job in this post in making the argument as to why the healthcare industry has been slow (understatement) to adopt enabling technologies. Fundamentally, his argument can be summarized as a "structural" justification for slow adoption. The industry simply had no real incentive to adopt enabling technologies, the status quo worked just fine (not really) thank you very much.

There are many areas of risk that need to be managed, but this post will focus on a particular risk that is quite subtle and will impact healthcare more than any other industry. If you are using a SaaS application on the public cloud, you have just lost control of your application rollout strategy.

Vendors Control the App Rollout Strategy in a SaaS World

There is nothing more disconcerting than to have a SaaS vendor entirely change the user interface and underlying process of what you do in a mission critical application. The first time you are faced with this issue will be a rude awakening into one of the ugly downsides of the SaaS model.

Vendors have a market need to continue to evolve their offerings or risk losing market share. Users on the other hand become quite comfortable in doing things in a particular way and often have the attitude of "please don't fix what isn't broken." Why? Primarily because we (as users) only have so much bandwidth and would prefer not to climb yet one more learning curve.

This problem is compounded in healthcare, especially with clinical applications. Why? Because mistakes in healthcare kill people, and this kind of change to a work process is likely to cause mistakes. Sure, you will get some warning that the application is about to change, BUT your training schedule will have to conform to the vendor's rollout strategy, something that is not likely to sit well with clinicians.

We have gone through this process several times and it has been painful on each occasion. That said, we are still huge believers in the cloud because its benefits outweigh the costs, but that doesn't obviate the fact that the costs are quite real.

The potential to leverage best practices surrounding security and encryption.

The availability of large and centralized de-identified data-sets available for multiple uses including predictive analytics.

A robust communications infrastructure for home healthcare monitoring applications to plug into.

A transaction/usage based pricing model for state of the art hardware and software that enables the distribution of previous fixed upfront capital costs more evenly across time.

In short, we are big proponents of cloud computing and feel that the underlying economics far outweigh the downside risks. That said, you need to be aware of the risks because all is not "sweetness and light" in cloud computing land. Many of these risks can be mitigated with rigorous planning and common sense strategies.

However, the required rigorous planning probably won't get done due to implementation pressures, and experience teaches us that common sense is often not all that common. This is especially true with respect to technologies whose organizational complexity is often hidden.

If you are a compliance professional you need to work closely with your technology organization to ensure that HITECH / HIPAA Compliance is not compromised when you move to the cloud. Below are some of the issues you need to consider in order to mitigate the risks related to losing control of your critical IT systems and infrastructure.

Disaster Recovery

Do you know what steps you will take if your mission critical cloud services go down? What are your backup plans for getting access to your applications and data? Remember, having redundant access to your data may not be enough, especially in those cases where your infrastructure and applications both reside on the cloud. In general, what you need is "hot swappable" redundant access for all mission critical systems hosted on the cloud, yet the cost of this redundancy may not be readily obvious.

Contractual Obligations

Moving your IT operations to the cloud in a significant way implicates a number of contractual issues your organization may not have faced before, including those pertaining to HITECH / HIPAA Compliance. For example, if you are sharing PHI with your cloud partners then you are required to have a Business Associate Contract in place with each. This contract is mandated by law and not optional. Many of the requisite contractual clauses are specified by statute/regulation. In addition, there are a host of non-compliance issues you may want to manage in the same contract (i.e. to avoid having duplicate contracts with each cloud partner) including, but not limited to, the following:

In short, the compelling economics that underpin cloud computing are not without some significant downside risks. These risks can be managed contractually but this adds an administrative cost that is often lost (i.e. not obvious) in the rush to dramatically cut IT costs.

August 01, 2011

This article addresses the kinds of information that must be tracked in order to receive your EHR Incentives under the meaningful use stage 1 requirements. Clearly there is quite a bit of information that needs to be tracked, most of which will be coming from a provider's EHR system. However, the information in an EHR system is not static. Therefore, providers must capture all required information to legally attest to HITECH Act compliance as a snapshot at a point in time, which is not a trivial task given the complexity of the objectives.

We assume that most readers are now familiar with the concept of meaningful use, but we will nonetheless provide a brief introduction to set the stage. We will also discuss other issues regarding meaningful use such as the attestation process, CMS audits, and tools that can help you comply. The focus here will be on Stage 1 meaningful use objectives and measures. Stages 2 and 3 remain too ill-defined to warrant further comment at this time.

July 20, 2011

Amid the move by physicians and hospitals to adopt EHRs, patients remain concerned about the security of their personal health information. That’s the high-level finding of an online survey conducted in early May among more than 2,700 U.S. adults by Harris Interactive on behalf of Xerox Corporation.

The pressure to comply with the HIPAA Security Rule is likely to come more from consumers than from HHS. As we continue to see more high profile breaches, consumers are going to continue taking notice.

The risk of non-compliance is as much a business/reputational risk as it is a purely legal risk. In fact, I would argue that the reputational risk to covered entities and business associates is far greater. Historically, patients have been almost entirely left out of the business equation because patients generally don't pay (at least the lion's share of) fees. From a business perspective they have been ignored. With the advent of new healthcare business models, this will no longer be the case. Reputation will matter to the bottom line. You can take that to the bank.

We will see this phenomenon play out over the next several years as the healthcare industry makes the move to EHRs, mobile, online portals, etc.

July 05, 2011

What Does It Mean to Legally Attest?

Essentially an eligible professional ("EP") or eligible hospital ("EH") will be signing a legal document (electronically), probably under penalty of perjury, that they have met the Stage 1 Meaningful Use Requirements (see this presentation and/or spreadsheet for a more readable format of the objectives and measures) and are therefore entitled to receive their EHR Incentives. Each EP (e.g. doctor) in a private practice will need to make this attestation. Therefore each doctor's compliance efforts will have to be tracked separately. EPs and EHs need to be careful regarding who they listen to with respect to this legal obligation. Both the EHR vendors and CMS have a vested interest in oversimplification, given their respective agendas, which can more or less be summarized as encouraging the rapid adoption of certified meaningful use technologies. This does not, standing alone, imply sinister motives on the part of these organizations, but neither should it encourage a cavalier attitude toward a legally binding agreement on the part of EPs and EHs. After all, it is NOT the EHR vendors or CMS who are signing under penalty of perjury.

June 21, 2011

The answer to this question in the past was probably no one. Why? Because HIPAA prior to the HITECH Act was a dead letter, a law that was on the books but essentially not enforced. Although HHS' enforcement efforts under HITECH have not been very aggressive to date (understatement), that is something that is likely to change. The U.S. government will be handing out millions (if not billions) of dollars in EHR incentives and simply cannot afford to look the other way regarding privacy and security.

Cybersecurity is becoming a big deal in Washington and the recent attacks will likely add fuel to the fire. In short, in the 21st century privacy and security are consumer issues that refuse to go away. The healthcare industry has largely gotten a pass so far, but there is no way that this status quo can be maintained.

So who needs HIPAA Compliance Software? The answer to this question now is all business associates and covered entities. There is simply no way that legacy manual methods of tracking HIPAA Compliance will suffice. Spreadsheets and other documents standing alone will also not get the job done. The bottom line is that HIPAA Compliance Software, like a high quality EHR, will become a cost of doing business. Taking an ostrich approach to the problem will only defer the pain.